When Free National Security Tooling Goes Away: Why the Retirement of Web Check and Mail Check Matters
Most organisations don’t have a clear view of their external attack surface: what’s exposed, what’s changed, and where risk may be building over time.
For many UK organisations, the National Cyber Security Centre’s Web Check and Mail Check services have quietly filled part of that gap. They provided a simple, continuous baseline for external cyber hygiene, helping identify common weaknesses in publicly exposed web and email infrastructure.
That is now changing.
The NCSC has confirmed that both services will be retired on 31 March 2026, and has advised organisations to have alternatives in place before then. For security managers and CISOs, this is more than the removal of two free services. It is the loss of a useful layer of continuous external assurance, and for some organisations, the loss of visibility they may not fully realise they depended on.

Why This Matters to Security Leaders
At one level, the retirement makes sense. The NCSC says the market for external attack surface management has matured, and that commercial providers now offer broader and more advanced capabilities than government-run services.
But from a leadership perspective, the issue is not whether commercial alternatives exist. The issue is whether your organisation has the same visibility, the same accountability, and the same operational coverage in place before these services disappear.
That creates two immediate challenges.
First, organisations already using Web Check or Mail Check need to ensure there is no drop in monitoring, reporting, or follow-up once the services are switched off.
Second, organisations that were never using these services should take this as a warning sign. They may already have gaps in visibility around their public-facing web and email infrastructure, and now the simplest route to basic oversight is being removed.
What Web Check Covered
Web Check helped organisations identify a broad set of security and configuration issues across public websites. That included areas such as TLS and certificate health, redirects from HTTP to HTTPS, mixed content, HTTP security headers, secure cookie settings, CORS issues, security.txt, patching signals, XML-RPC exposure, and selected known vulnerabilities.
In short, it provided a broad view of externally visible website hygiene.
That breadth is important, because replacing it is not as simple as buying one tool and assuming the problem is solved.
What Mail Check Covered
Mail Check focused on the email side of the attack surface. It helped organisations improve and monitor controls such as SPF, DKIM, DMARC, SMTP TLS, and MTA-STS.
These are not niche or optional protections. They help prevent attackers from abusing your domains for phishing and impersonation, while also improving the security of email in transit. For many organisations, that is directly tied to brand trust, customer safety, and fraud prevention.
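As an added illustration (not NCSC's Mail Check logic and not code from this article's author), the sketch below checks whether published DMARC and SPF records are enforced rather than merely present. The record strings and the domain example.org are constructed sample data; fetching the TXT records from DNS is left out so the block runs offline.

```python
# Added example; every record in SAMPLES is constructed for a hypothetical domain.
def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict keyed by lower-cased tag."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    """Return findings for a _dmarc TXT record; an empty list means enforced."""
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} is not an enforcing policy")
    elif tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag, so aggregate reports are not collected")
    return findings

def audit_spf(record):
    """Return findings for an SPF TXT record, judged by its 'all' mechanism."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no valid SPF record (v=spf1 missing)"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms:
        # A redirect= modifier hands the decision to another record: audit that one.
        redirected = any(t.startswith("redirect=") for t in terms)
        return [] if redirected else ["no 'all' term: unlisted senders get neutral"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "+?~-" else "+"  # bare 'all' is '+all'
    weak = {"+": "+all authorises every sender", "?": "?all gives no verdict"}
    # ~all (softfail) and -all (fail): unlisted senders do not pass SPF.
    return [weak[qualifier]] if qualifier in weak else []

SAMPLES = {  # constructed (DMARC, SPF) record pairs
    "monitor-only": ("v=DMARC1; p=none; rua=mailto:dmarc@example.org",
                     "v=spf1 include:_spf.example.org ?all"),
    "enforced": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
                 "v=spf1 include:_spf.example.org -all"),
}

if __name__ == "__main__":
    for name, (dmarc, spf) in SAMPLES.items():
        print(name, audit_dmarc(dmarc) + audit_spf(spf) or "enforced")
```

DKIM, SMTP TLS and MTA-STS are not covered by this sketch and need their own checks.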
Why the Loss of Mail Check May Be the Bigger Concern
For most CISOs, the retirement of Mail Check should attract the most immediate attention.
Email remains one of the most trusted and most abused channels in the enterprise. Business email compromise, supplier fraud, phishing, and malware delivery all become easier when domain protections are weak, misconfigured, or not actively monitored.
That means Mail Check was never just a helpful technical service. It was supporting a control area with direct business impact.
If your organisation loses visibility here, the consequences are not theoretical. They affect customers, partners, employees, and your brand.

Where We Can Help
For organisations losing Mail Check, this is where we can help most.
We cover the majority of what Mail Check offered, particularly around DMARC and SMTP TLS. Existing customers may already have access to the features they need and may only need to expand how they use them.
That makes this a good moment for current customers to review their setup, confirm which protections are already enabled, and ensure that responsibility for those controls is clearly assigned before the NCSC services are retired.
For new customers, the message is just as important. If you have relied on the NCSC in the past, or if you have never properly addressed these controls at all, now is the time to do so. Strong email authentication and transport security still matter, regardless of who provides the monitoring.

Where the Gap Remains on the Web Side
Web Check is a different story.
It covered a broad set of website security checks, many of which sit across different technical and operational domains. We can help with one important part of that picture: Content Security Policy.
CSP is a valuable control for reducing client-side risk and improving governance over what your applications are allowed to load and execute in the browser. But it is only one part of what Web Check provided.
That distinction matters. Security leaders should be careful not to replace a broad, multi-check service with a narrow point solution and assume the overall risk is covered.
What Security Teams Should Do Now
The right next step is not panic, but assessment.
Security teams should review what Web Check and Mail Check were providing, identify which capabilities are already covered elsewhere, and then address any remaining gaps with intention. That means looking not just at tooling, but at ownership, monitoring, escalation, and reporting.
The key questions are straightforward:
- Which public-facing services are currently being monitored?
- Which email protections are in place and enforced?
- Which external findings generate action?
- Where are we relying on legacy assumptions, partial implementations, or visibility we are about to lose?
A Governance Issue, Not Just a Tooling Issue
The NCSC’s decision reflects a broader trend: organisations are increasingly expected to own and manage their external security posture through commercial tooling and internal processes, rather than relying on central public services.
That makes this more than a tooling change. It is a governance issue.
For CISOs, this is a moment to make sure that external web and email security are not being treated as background hygiene with no clear owner. The retirement of these services should prompt a deliberate review of your controls, your coverage, and your confidence in what is actually being monitored today.
Final Thought
The retirement of Web Check and Mail Check is not a reason for alarm, but it is a reason to act.
A useful public safety net is being removed. Some organisations will notice immediately. Others may only realise what they were missing once the visibility is gone.
Either way, security leaders should treat this as an opportunity to reassess external web and email exposure, strengthen ownership, and make sure critical protections remain in place after 31 March 2026.
Sources:
Web Check: https://www.ncsc.gov.uk/information/web-check
Mail Check: https://www.ncsc.gov.uk/information/mailcheck
Retirement Notice: https://www.ncsc.gov.uk/blog-post/retiring-mail-check-web-check